[aur-general] [REVIEW REQUEST] python-viivakoodi

Quentin Bourgeois quentin at bourgeois.eu
Sun Nov 27 15:30:10 UTC 2016

On 16-11-26 19:27:37, Eli Schwartz via aur-general wrote:
> On 11/26/2016 01:01 AM, Florian Bruhin wrote:
> >>   * Upstream does not provide any GPG signature of the tarballs nor
> >>   commit signature. I've chosen to provide a detached GPG signature
> >>   of the downloaded tarball with my GPG key. For me, it's better to
> >>   have this link-ability between the package maintainer and the
> >>   downloaded tarball than nothing at all.
> > 
> > Not sure if that makes much sense, and FWIW I've had some issues with
> > people not being able to install AUR packages with PGP keys. I don't
> > recall exactly what the problem was though...
> This. GPG signatures are meant to prove that upstream really released
> it, but if all you know is that the AUR maintainer *thinks* this is the
> upstream release, you might as well just stick with checksums, which
> will serve just as well to prove the source code is the same source code
> the AUR maintainer used.
> Anyone who can defeat the checksum (by modifying your PKGBUILD) can also
> defeat your own GPG key.
You are right, I have removed this. My first goal was to sign my
PKGBUILD file; I don't think it's possible?

On 16-11-26 07:01:15, Florian Bruhin wrote:
> > optdepends=('inkscape: tools for manipulating vector objects (eg: SVG files)')
> You'd usually put an explanation when/why inkscape is needed here.
Inkscape (or any other tool for SVG handling) is needed if one would
like to see the result of the generated document in SVG format. As there
could be a long list, I am not sure if such dependencies should be put
into the PKGBUILD, even in optdepends?

> >     if [ -f LICENSE ]; then
> >         install -Dm0644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
> >         install -Dm0644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE.launcher"
> >     else
> >         warning "license file not found"
> >     fi
> Why would it ever not exist?
I added this check in case upstream changes for any reason, so as not to
break the build process. The warning should be enough to let me investigate.
I generally don't perform operations on resources that might not be
present; I just applied this here too.

Thanks for your feedback, I have updated the PKGBUILD[0].

[0] https://git.bourgeois.eu/aur_python_viivakoodi.git/tree/
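An added example, not part of the original thread and not the package's own PKGBUILD: the checksum argument quoted above, shown in Python. The parser is a simplified stand-in for makepkg's integrity check, and the tarball bytes and source file name are constructed.

```python
import hashlib
import re


def pinned_sha256sums(pkgbuild: str) -> list[str]:
    """Return the hex digests pinned in a sha256sums=(...) array."""
    m = re.search(r"^sha256sums=\((.*?)\)", pkgbuild, re.S | re.M)
    if not m:
        raise ValueError("PKGBUILD pins no sha256sums")
    # Only real digests count; an entry such as 'SKIP' is not returned,
    # so the length check below fails closed on it.
    return re.findall(r"['\"]([0-9a-fA-F]{64})['\"]", m.group(1))


def source_matches(pkgbuild: str, sources: list[bytes]) -> bool:
    """True only if every source has a pin and every digest agrees."""
    pins = pinned_sha256sums(pkgbuild)
    if len(pins) != len(sources):
        return False
    return all(hashlib.sha256(data).hexdigest() == pin.lower()
               for data, pin in zip(sources, pins))


# Constructed sample inputs (not real release data).
UPSTREAM = b"constructed tarball bytes: what the maintainer downloaded"
TAMPERED = b"constructed tarball bytes: a modified copy"


def make_pkgbuild(tarball: bytes) -> str:
    """Build a minimal PKGBUILD text pinning the given tarball."""
    digest = hashlib.sha256(tarball).hexdigest()
    return ("pkgname=python-viivakoodi\n"
            "source=('viivakoodi.tar.gz')\n"  # constructed file name
            f"sha256sums=('{digest}')\n")


def demo() -> dict:
    honest = make_pkgbuild(UPSTREAM)
    edited = make_pkgbuild(TAMPERED)  # PKGBUILD itself was changed
    return {
        # Checksum proves "same bytes the maintainer used".
        "same_source": source_matches(honest, [UPSTREAM]),
        # A swapped tarball alone is caught.
        "swapped_tarball": source_matches(honest, [TAMPERED]),
        # If the PKGBUILD is edited too, the pin moves with it.
        "edited_pkgbuild": source_matches(edited, [TAMPERED]),
    }


if __name__ == "__main__":
    print(demo())
```

The third result is why the pin, whether a checksum or a maintainer key listed in the same file, is only as trustworthy as the channel that delivers the PKGBUILD.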